Dozens of Top Porn Sites Abused to Distribute Malware via Ad Network

Last week, dozens of top adult sites across the Internet were hit with a massive malware attack, caught distributing malware to the millions with a Flash-based infection via a rogue advertiser abusing the adult ad network.

Top adult sites found themselves under attack of a massive malvertising campign last week, when an external ad network began to distribute malicious ads to the visitors of the adult sites. A number of top adult domains found themselves under attack, including:

drtuber[dot]com 60.2 Million Monthly Visitors

hardsextube[dot]com 43.7 M

justporno[dot]tv 32.5 M

alphaporno[dot]com 24.9 M

eroprofile[dot]com 18 M

pornerbros[dot]com 16.6 M

pichunter[dot]com 6.6 M

iceporn[dot]com 6.4 M

tubewolf[dot]com 6.2 M

winporn[dot]com 5.4 M

Among Dozens of Others

The sites total traffic combined accumulates over 250+ million monthly visitors. The domains rank among the top free adult sites in the world, some even owned by the largest adult networks in the industry today.

To obfuscate detection, the fraudulent ad uses a Flash advert to execute the exploit, making it much harder to detect or pinpoint intrusions of where the infection is rooted.

The ad targeted was a sexual enhancement pill, behind the ad was malicious code that would abuse the exploit immediately, regardless if the victim clicked the ad or not. What’s staggering is the Flash code executed on demand, meaning the victim was not apart of a targeted attack, simply viewing the ad could lead to the infection of your machine.

The Flash exploit abused in the advert is not your average Flash exploit, and could be easily be looked over as a legitimate ad, Malwarebytes reported.

For the initial infection, the victim must request and advert from the advertisers. Meaning the victim will visit the adult site and the ad will automatically start to load. Once this begins, the targeted ad network, AdXpansion loads the external URL.

“This advertiser is clearly not legitimate as the sole purpose of their platform is to deliver the malicious Flash-based advert/exploit” Jérôme Segura, senior security researcher at Malwarebytes lab wrote in a blog post. “This Flash file is also quite different from most Flash exploits we see and could easily be overlooked as legitimate.”

Once AdXpansion serves the malicious ad, if your version of Flash Player is vulnerable, you will be immediately infected with any exploit kit the malware authors chooses to serve. Flash Player versions up until version 17.0.0.134 released less than two months ago are all vulnerable to the exploit.

This is not the first time major porn sites have been hit with a malware-based ad attack. Just two weeks ago, the second largest porn site online was hit by a massive malware campign, infecting some tens of thousands of their over 500 million monthly website visitors.

AdXpansion has removed all advertisers in question and adult sites using their service are safe from the malware once again.